Kafka / KAFKA-10895

Basic auth extension's JAAS config can be corrupted by other plugins



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.1.1, 2.3.0, 2.2.1, 2.2.2, 2.4.0, 2.3.1, 2.5.0, 2.4.1, 2.6.0, 2.5.1, 2.7.0
    • Fix Version/s: 2.3.2, 2.4.2, 2.5.2, 2.8.0, 2.7.1, 2.6.2
    • Component/s: KafkaConnect
    • Labels: None


The Connect BasicAuthSecurityRestExtension's doc states that "An entry with the name KafkaConnect is expected in the JAAS config file configured in the JVM."

This is technically accurate, as the JaasBasicAuthFilter that the extension installs creates a LoginContext using a constructor that does not include a Configuration to be passed in, which causes Configuration::getConfiguration to be used under the hood by the LoginContext to fetch the JAAS configuration to use for authentication.

Unfortunately, other plugins (connectors, converters, even other REST extensions, etc.) may invoke Configuration::setConfiguration and install a completely different JAAS configuration onto the JVM. If the user starts their JVM with a JAAS config set via the -Djava.security.auth.login.config property, that JAAS config can then be completely overwritten, and if the basic auth extension depends on the JAAS config that's installed at startup (as opposed to at runtime by a plugin), it will break.

It's debatable whether this can or should be addressed with a code fix. One possibility is to cache the current JVM's configuration as soon as the basic auth extension is loaded by invoking Configuration::getConfiguration and saving the resulting configuration for future LoginContext instantiations. However, it may be possible that users actually rely on runtime plugins being able to install custom configurations at runtime for their basic auth extension, in which case this change would actually be harmful.

Regardless, it's worth noting this odd behavior here in the hopes that it can save some time for others who encounter the same issue.
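The behavior described above, and the caching approach floated as a possible fix, reduced to a stand-alone demonstration. This is an added example, not code from Kafka Connect or from the reporter: the login module class name and the "SomeOtherApp" entry are constructed, and the JVM-wide configuration is installed programmatically to stand in for a -Djava.security.auth.login.config file.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Collections;

public class JaasConfigPinningDemo {

    // Constructed stand-in for a JAAS config file: one entry under the given name.
    // The module class is never loaded here because login() is not called.
    static Configuration configWith(String entryName) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "example.DummyLoginModule", LoginModuleControlFlag.REQUIRED,
                Collections.<String, Object>emptyMap());
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entryName.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // 1. JVM starts with a JAAS config that contains the KafkaConnect entry.
        Configuration.setConfiguration(configWith("KafkaConnect"));

        // 2. Proposed fix: the extension captures the configuration as soon as it is loaded.
        Configuration startupConfig = Configuration.getConfiguration();

        // 3. Some other plugin later replaces the JVM-wide configuration wholesale.
        Configuration.setConfiguration(configWith("SomeOtherApp"));

        // 4a. Current behavior: the two-arg style constructor consults
        //     Configuration.getConfiguration() at call time and no longer finds the entry.
        try {
            new LoginContext("KafkaConnect");
            System.out.println("unpinned: KafkaConnect entry found (unexpected)");
        } catch (LoginException e) {
            System.out.println("unpinned: " + e.getMessage());
        }

        // 4b. Pinned behavior: passing the captured Configuration explicitly keeps
        //     working regardless of what other plugins installed afterwards.
        new LoginContext("KafkaConnect", null, null, startupConfig);
        System.out.println("pinned: KafkaConnect entry found via startup configuration");
    }
}
```

Run it with a JDK on the classpath as-is; note that pinning also means a Configuration installed deliberately at runtime for the extension would be ignored, which is the trade-off the issue points out.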





Assignee: Chris Egerton
Reporter: Chris Egerton



